Occupation classifications for individuals performing activities to advance its cybersecurity mission. DHS would be required to ensure that the classifications be made available to other federal agencies.

A workforce strategy that enhances the readiness, capacity, training, recruitment and retention of the DHS cybersecurity workforce, including a multi-phased recruitment plan and a 10-year projection of federal workforce needs.

A process to verify that employees of independent contractors who serve in DHS cybersecurity positions receive initial and recurrent information security and role-based security training commensurate with assigned responsibilities.

The bill also directs DHS's chief human capital officer and chief information officer to assess the readiness and capacity of the department to meet its mission to protect government and private-sector IT. It requires the DHS secretary to provide Congress with updates on the development and implementation of cybersecurity strategies, assessments and training.

Jane Holl Lute, who stepped down in April as DHS deputy secretary, says provisions in the bill would reinforce steps taken by the department. Lute, chief executive of the Council on Cybersecurity, a not-for-profit promoting a secure Internet, says DHS had assigned each of some 1,500 positions in the department to one of 11 critical cybersecurity skills.

Lute says future hiring will be based on those designated skills. "DHS has refined the job descriptions, standards of competency performance and other requirements of each of these positions," she says. "The plan was to offer this material to all federal departments."

Evolving InfoSec Workforce

Diana Burley, associate professor at George Washington University's Graduate School of Education and Human Development, says recruitment plans are valuable but they depend, in large part, on the ability of each agency to define occupations (see Pitfalls of Professionalizing InfoSec).

But Burley says it will be very difficult for DHS to develop a 10-year projection for a cybersecurity workforce. "The full scope of the workforce has yet to be defined, and the nature of the work - and thus, the workforce - is constantly evolving."

The sponsor of the bill, Rep. Yvette Clarke, a New York Democrat who is the ranking member of the panel's cybersecurity subcommittee, says the legislation is aimed at helping battle cyberthreats "by establishing a process for recruiting and retaining high-level specialists in cybersecurity at the Department of Homeland Security that other federal agencies and private companies will have the ability to access."

Lack of Clearly Defined Skills

David Maurer, GAO director of homeland security and justice issues, says IT security recruitment at DHS is hampered by the lack of clearly defined skill sets or a unique occupational series. Maurer says DHS officials told the congressional auditors that they're working to better define and strengthen the required skill set for cybersecurity personnel, including pursuing a specific cybersecurity personnel job series, which could help improve recruiting and hiring.

Karen Evans, national director of U.S. Cyber Challenge, a group focused on building America's IT security workforce, says defining specific IT security occupations would help agencies, including DHS, determine what skills should be applied to particular jobs.

"If you came up with specific labor categories or these job classification series, then employers would be able to better provide worker balance and recruit," says Evans, who formerly served as the federal government's administrator for e-government and information technology, a post that now has the additional title of federal chief information officer.

Evans says most IT security personnel are classified in one of the few computer categories. "It's really hard to recruit [without occupation classifications] because you're not necessarily sure what people's experience level is because everybody is lumped into one series," she says.

The Office of Personnel Management is working with other federal agencies to implement a special workforce project to require agencies' cybersecurity, information technology and human resources organizations to build a statistical data set of existing and future cybersecurity positions to be stored in OPM's data warehouse by Sept. 30.

"The new databank will enable agencies to identify and address their needs for cybersecurity skill sets to meet their missions," OPM Acting Director Elaine Kaplan says in a memo issued in July.

Defining the Cybersecurity Workforce

In her memo, Kaplan referenced work being conducted by the National Initiative for Cybersecurity Education, which has issued the National Cybersecurity Workforce Framework, comprising 31 specialty IT security areas organized into seven categories:
